I'm a technology, privacy, and information security reporter and most recently the author of the book This Machine Kills Secrets, a chronicle of the history and future of information leaks, from the Pentagon Papers to WikiLeaks and beyond.
I've covered the hacker beat for Forbes since 2007, with frequent detours into digital miscellania like switches, servers, supercomputers, search, e-books, online censorship, robots, and China. My favorite stories are the ones where non-fiction resembles science fiction. My favorite sources usually have the word "research" in their titles.
Since I joined Forbes, this job has taken me from an autonomous car race in the California desert all the way to Beijing, where I wrote the first English-language cover story on the Chinese search billionaire Robin Li for Forbes Asia. Black hats, white hats, cyborgs, cyberspies, idiot savants and even CEOs are welcome to email me at agreenberg (at) forbes.com. My PGP public key can be found here.

A Different Approach To Foiling Hackers? Let Them In, Then Lie To Them.

Most systems administrators describe the task of network security as something like defending a castle. Kristin Heckman talks about fighting hackers in terms that sound more like a job as a Walmart greeter.

“We want to provide these individuals with an enjoyable experience,” she says of the intruders on her network. “We want them to come into the system, get what they think they want to get, and leave essentially as happy customers.”

Last month Heckman, a researcher for the non-profit IT research corporation MITRE, gave a talk with fellow MITRE researcher Frank Stech at Purdue’s Center for Education and Research in Information Assurance and Security. They described a cyber war game scenario MITRE played out internally in which she and Stech tried an unorthodox defensive strategy: instead of trying to purge the Red Team’s hackers from the Blue Team’s network they were defending, Heckman and Stech let the attackers linger inside, watched them, and fed them confusing misinformation. The result: despite the Blue Team’s network being deeply compromised by the Red Team’s hackers, Blue managed to trick Red into making the wrong moves and losing the game.

Although both Heckman and Stech declined to talk to me about their lecture, the presentation (video here) suggests an alternative approach to what the cybersecurity industry calls “advanced persistent threat” (APT) hackers–state-sponsored, sophisticated intruders who have penetrated hundreds of corporations and government agencies in recent years and siphoned vast amounts of information. “Traditional methods of trying to block unauthorized access, APTs, is essentially a game of whack-a-mole,” Heckman said in the talk. “It’s shutting systems down, patching systems, reissuing credentials, and in the end you don’t learn much about the adversary. We didn’t want to do that. We want to let them into a controlled environment so that we can learn more about them.” And in some cases, mislead them, too.

In MITRE’s five-day virtual war game, which the group played out in late January of 2012, the Blue Team was given a mission titled Operation Beggar’s Banquet: killing a fictional terrorist leader named Richard Hakluyt. The scenario dictated that Hakluyt had holed up in a compound in the fictional People’s Republic of Virginia (represented by the Red Team), which was in a state of cold war with the equally fictional Republic of New England, represented by Blue. Blue’s secret mission was to parachute a special operations group next to Hakluyt’s compound, which would use a laser designator system to help a gunship target the compound and blow it up, before deploying a Fulton Surface-To-Air-Recovery plane to retrieve the special ops team.

Things started badly for Blue. While the game was still in its first day of pre-action planning, Red’s hackers immediately breached Blue’s network and gained access to all of its mission plans, which had been stored on an internal wiki.

MITRE's diagram showing a pre- and post-breach network. After the breach, the defenders maintain an internal perimeter while seeding the area outside of it on the network with misinformation. (Click to enlarge.)

“Red had everything. They had our full plan,” Heckman told the Purdue crowd. “We had to do some quick scrambling to figure out how to react to that.”

Stech and Heckman had worked on a so-called “denial and deception” system they called BlackJack, which they planned to use to create a parallel version of Blue’s network in real time to misdirect Red’s hackers with false information. But Red quickly saw through Blue’s ruse, they say, gaining access to both versions of its mission content. And due to performance lags in BlackJack’s real-time creation of the fake data, Red could even discern which was the real version and which was fake. “We were in a pickle,” says Stech.

But Blue found that it had one advantage: Every Blue user had the same browser and operating system, and Red had made the mistake of using different software. So Blue was able to detect which accounts Red was accessing, and start manually feeding specific misinformation to those compromised accounts.

According to Heckman and Stech, Blue used those hacked accounts to feed Red a story about a member of Blue’s team who had foolishly planned to kill Hakluyt when, in fact, a murder would be too politically incendiary to risk. Blue went on to create an alternate story that it planned instead to track and then kidnap Hakluyt by using information provided by a double agent within Red’s team whom Blue called “Cotton Dollar.”

Red, perhaps overconfident after detecting Blue’s first try at deception, swallowed this second story whole. “Really, it was a fantastic cover story to correct for the big mistakes we had on day one,” said Heckman. “We were able to determine from Red’s actions…that Red bought it hook, line and sinker.”

Blue used its compromised accounts to feed Red information about when it planned to use its informant Cotton Dollar’s information to send a special forces team to kidnap Hakluyt during a trip outside the compound. As a result, Red made sure Hakluyt stayed put. “We had Red convinced we knew all of Hakluyt’s movements,” says Heckman. “It made Red ensure that Hakluyt actually stayed in his compound for protection. Which is exactly what we wanted, because we wanted to blow it up. It worked beautifully to our advantage.”

In the end, Blue carried out its original mission and destroyed Hakluyt’s compound with Hakluyt inside. Even then, Blue released propaganda that the compound blow-up was an accident. When the game ended, Red was still in a state of confusion, and Blue had won.

The kind of “denial and deception” or “D&D” techniques that Heckman and Stech described in their war game aren’t exactly new. Security researchers have long used so-called “honeypots”–usually carefully quarantined virtual machines–for observing hacker activity in a safe environment.

Still, when it comes to trying those tricks on hackers inside of real, sensitive networks, the best approach is probably “don’t try this at home.” Richard Bejtlich, chief security officer with the breach response firm Mandiant, which recently detailed in a report hundreds of breaches by a prolific team of sophisticated Chinese government hackers, says that creating a fake playground for observing and misinforming intruders can be a costly and dangerous game. “If you seed the network with fake data, how do your own users know what’s fake and real?” Bejtlich asks. “If a user can make the distinction, the intruder can make the same distinction. Or you have to do so much work setting up a juicy fake network that I pretty much guarantee it takes more time to set up than it takes the intruder to figure out that it’s fake.”

Bejtlich does say that some of the best defensive teams he’s seen–usually companies that have dozens of staff devoted exclusively to network defense, such as military contractors–have the capabilities to quarantine attackers and feed them false information. But most companies should stick to the basics of defense rather than risk aggravating a breach. “The only time this works is when you have very high control of what the intruders are doing,” says Bejtlich. “You have to have your ‘A game’ down before you try trick plays.”

But at least within the controlled environment of MITRE’s war game, misinformation tactics let Heckman and Stech enjoy a satisfying win over their network’s outsmarted invaders. After the game, the Blue Team sent its conquered foes a fake Confederate dollar bill to taunt them over the imaginary “Cotton Dollar” informant Blue had invented.

“Don’t do that, that’s not good deception practice,” Stech added at the end of the talk with a smile. “You don’t want them to know they got fooled. You want them to go away happy, be good customers, and come back and get fooled again.”


This is actually from work done for the DOE at Aquila Technologies called Honeypot (two puns, for sweet tempting and porta potty with U know what); the basic theme was originated in a project at Fort Belvoir called Operation Cockroach.

The work was not liked by typical information technology (including the fear and doom salesmen) and bureaucrats whose job security was threatened when it took away funds for massive firewalls and security audits etc. and replaced it with logic and thinking.

It’s also 75% more effective than anything being done currently and gets away from security stupidity that does not and never will work, with connectivity and security being two opposites.

This tactic falls into the “disrupt” phase of the network use-of-force continuum that Spencer Wilcox and Brandon Dunlap are exploring at the Orlando Doctrine: http://orlandodoctrine.com/commuter-files/network-use-of-force-disrupt. The idea is that organizations need to start thinking about new ways to defend themselves akin to how we protect ourselves in the “real” world. We may reach a point where this type of defense is carried out by a network “security guard” whose role is very similar to the security guard standing outside office buildings.


It is premised on the great hubris of the geek, who thinks that he is always smarter than anyone else, particularly other, lesser geeks, and that he can always outsmart them and feed them lies, etc. Basically, use the Anonymous methods of denial and deceit which is already ingrained into coder culture.

Except, then they prove to be stupid and oops, they don’t even realize they’ve been pwned.

Can’t help but notice the picture of hackers stealing the C2 missile system in the diagram…

I’ll tell you how foreign governments really steal the source code. They use the front door. When your security guards, staffing companies, and engineering contractors start to look and sound like terrorists who can barely speak English, then you know you have covert agents walking around in the company planting spying software and network pinhole cameras in the ceiling so they can launch a coup d’état to take over the entire engineering department to steal the source code directly and prevent the company from hiring people who are not part of their minority-only terrorist gang, to exclude all white Americans from employment except those who are too old, too lazy, or easy to manipulate. The next thing you know the entire C2 missile system is being staffed and designed by dummies from the Infosys, Wipro, TCS network who sit around sabotaging the design, then stealing and transferring the source code around between companies to resell it over and over again to anybody who will buy it by contracting them. I saw such a group in Lockheed Martin walking around, hiding out in their RV camper they had parked inside the inner fence…camping out for days inside the company and just walking around whenever they wanted without anybody ever questioning them even when they looked out of place. It’s easy… take over the security guard position… then he lets the RV camper drive right through the security gate…then they can camp out for days without worrying about security checkpoints…

The other way cyber security is usually compromised is by allowing employees to work from home over VPNs…. Sooner or later some of the important files end up on a home computer where somebody has installed a rogue file-sharing program stealing sensitive files off of their computer without them knowing it (possibly the kids?). It’s always how the copyrighted source code gets leaked onto the internet in a giant tar wad… some employee has a home computer infected with a hacker file-sharing program that steals MP3s and other files off of his hard disk. The next thing you know the entire source code tree of a C2 missile system is floating around on the internet…